Gartner recommends immediately replacing IIS with another alternative

spidey07

Talk about a death-blow. This is from Gartner's recent report on Microsoft Security and the Nimda worm.

Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache. Although these Web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers. Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS. Sufficient operational testing should follow to ensure that the initial wave of security vulnerabilities every software product experiences has been uncovered and fixed. This move should include any Microsoft .NET Web services, which requires the use of IIS. Gartner believes that this rewriting will not occur before year-end 2002 (0.8 probability).

 

bignick

It will never happen where I work. 90% of our web-based apps are built using ASP. We could go and buy chilisoft ASP and run our apps on a *nix box with apache, but it would be a cold day in hell when that happens.

 

spidey07

show the Gartner research to your CIO and call it a "strategic initiative".

that'll give it some weight :):Q
 

Rainsford



<< It will never happen where I work. 90% of our web-based apps are built using ASP. We could go and buy chilisoft ASP and run our apps on a *nix box with apache, but it would be a cold day in hell when that happens. >>



I still don't understand why people use ASP. It's just Microsoft's way of taking an idea that is free (PHP) and writing (badly I might add) their own proprietary version. I know they aren't exactly alike, but I'm pretty sure that anything ASP can do you can do in PHP too. And PHP is free. And it will work on almost any platform. What's so great about ASP? BTW, I've tried chilisoft ASP with Apache and I found that the ASP stuff I'd written ran a lot slower than on IIS. Since I don't have access to Win2k or WinNT server and I wanted more than 15 connections, I decided to go with PHP and Apache on Linux. Learning PHP was kind of a pain, but it has turned out a lot better in the end. Plus I think PHP is easier than ASP. I donno, JMHO.
 

spidey07

I'm sure the use of IIS is a religious battle much like Intel/AMD (didn't most PC manufacturers announce they were dropping AMD hehehe :)), but this is a really strong statement by a research firm that many companies put faith in.

 

Shadow07

It's not that it's a religious thing, but rather a training issue. PHP uses a custom application language, whereas with ASP you can use JSCRIPT, Java, VBScript, or VB. You can't with PHP. There are PHP ports for IIS, but why would you when using PHP on a *nix box is much better? But, I completely agree that Microsoft NEEDS to fix IIS. You know, just like what they have with NT and 2000.

I know for a fact that my company will never port to anything else.

I would look at either SecureIIS or using the IIS Lockdown tool to try to protect your servers. The one main area of concern that I have with IIS is that many system admins do not know how to properly secure the IIS box. Most install the FrontPage Server Extensions, when they don't need them. They also install the IIS Admin web add-on, when that is REALLY not needed. They also install the IIS Samples, which should never be installed.

I think the IIS Lockdown tool is a good step in the right direction. ALL IIS Admins should use this tool. Hell, if not that tool, then import the HIGHSEC Local Security policy to your Windows 2000 IIS server. That will lock it down, but not as much as with the IIS Lockdown tool.
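
Added example, not part of the original thread or any poster's code: a small audit that reads an IIS log in W3C extended format and reports whether the three optional components named in the last post (FrontPage Server Extensions, the IIS Admin web add-on, the IIS Samples) are still answering requests. The URL prefixes are the default virtual directory names and are an assumption (a server may have renamed them); the log lines are constructed sample data.

```python
from collections import defaultdict

# Default virtual directory prefixes for the components named in the post.
# Assumption: the defaults were not renamed on the server being audited.
COMPONENTS = {
    "FrontPage Server Extensions": ("/_vti_bin", "/_vti_pvt", "/_vti_cnf"),
    "IIS Admin web add-on": ("/iisadmin",),
    "IIS Samples": ("/iissamples",),
}

# Constructed sample log in W3C extended format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-20 10:01:02 192.0.2.10 GET /default.asp 200
2001-09-20 10:01:05 192.0.2.44 GET /IISSamples/default.htm 200
2001-09-20 10:01:09 192.0.2.44 POST /_vti_bin/shtml.dll 404
2001-09-20 10:02:11 192.0.2.51 GET /iisadmin/default.asp 401
#Fields: date time cs-uri-stem sc-status c-ip
2001-09-20 10:03:00 /_vti_bin/_vti_aut/author.dll 404 192.0.2.51
"""

def exposed_components(log_text):
    """Return {component: sorted URLs that answered with anything but 404}."""
    fields, hits = [], defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field order can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        if row.get("sc-status") == "404":  # nothing installed at that path
            continue
        for name, prefixes in COMPONENTS.items():
            # 200, 401, 403 and similar all mean the path exists on the server.
            if any(uri == p or uri.startswith(p + "/") for p in prefixes):
                hits[name].add(uri)
    return {name: sorted(uris) for name, uris in hits.items()}

if __name__ == "__main__":
    for name, uris in exposed_components(SAMPLE_LOG).items():
        print(f"{name}: still answering at {', '.join(uris)}")
```

A component that appears in the result is installed and reachable; a component absent from the result has either been removed or simply not been requested during the period the log covers.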